Comcast turned on the Xfinity Wi-Fi hotspots on Tuesday afternoon. This is what it looks like in a list of available Wi-Fi networks.

Comcast turned on the Xfinity Wi-Fi hotspots on Tuesday afternoon. This is what it looks like in a list of available Wi-Fi networks.

Photo: Chris Hokanson

Image 2 of 14

The Linksys WRT1900AC router is a good - if expensive - choice to replace Comcast's own router.

The Linksys WRT1900AC router is a good - if expensive - choice to replace Comcast's own router.

Photo: Linksys

Image 3 of 14

The Arris Motorola Surfboard SB6141 cable modem is approved for use on Comcast's network.

The Arris Motorola Surfboard SB6141 cable modem is approved for use on Comcast's network.

Photo: Motorola

Image 4 of 14

An Arris Touchstone Telephony Wireless Gateway Modem. Comcast has been distributing these to customers for about two years.

An Arris Touchstone Telephony Wireless Gateway Modem. Comcast has been distributing these to customers for about two years.

Photo: Melissa Phillip / Houston Chronicle

Image 5 of 14

Image 6 of 14

Thomas Cable, a Comcast installation technician, installs an XB-3 wireless gateway in a home Monday, June 9, 2014, in Houston.

Thomas Cable, a Comcast installation technician, installs an XB-3 wireless gateway in a home Monday, June 9, 2014, in Houston.

Photo: Melissa Phillip / Houston Chronicle

Image 7 of 14

Thomas Cable, a Comcast installation technician, installs an XB-3 wireless gateway in a home Monday, June 9, 2014, in Houston.

Thomas Cable, a Comcast installation technician, installs an XB-3 wireless gateway in a home Monday, June 9, 2014, in Houston.

Photo: Melissa Phillip / Houston Chronicle

Image 8 of 14

To opt out of the Xfinity Wi-Fi free hotspot, log in to <a href="http://customer.comcast.com/" target="_blank">customer.comcast.com</a> and choose Users & Preferences.

To opt out of the Xfinity Wi-Fi free hotspot, log in to <a href="http://customer.comcast.com/" target="_blank">customer.comcast.com</a> and choose Users & Preferences.

Photo: Houston Chronicle

Image 9 of 14

Under the "Service Address" category, click the link for "Manage Xfinity Wi-Fi".

Under the "Service Address" category, click the link for "Manage Xfinity Wi-Fi".

Photo: Houston Chronicle

Image 10 of 14

Image 11 of 14

Click the button for "Disable Xfinity Wifi Home Hotspot", then click Save.

Click the button for "Disable Xfinity Wifi Home Hotspot", then click Save.

Photo: Comcast

Image 12 of 14

Comcast's Xfinity Wi-Fi app for iOS and Android devices has a map that shows the location of business-related hotspots. The hotspots generated by residential routers don't show up here.

Comcast's Xfinity Wi-Fi app for iOS and Android devices has a map that shows the location of business-related hotspots. The hotspots generated by residential routers don't show up here.

Photo: Houston Chronicle

Image 13 of 14

The apps can also show the hotspots in list form. Again, residential hotspots don't appear here.

The apps can also show the hotspots in list form. Again, residential hotspots don't appear here.

Photo: Houston Chronicle

Image 14 of 14

Popular SB6141 cable modem vulnerable to reboot attack [Updated x3]

1 / 14

Back to Gallery

[Note: Comcast is pushing out a fix for this flaw to affected modems on its network. See the update below.]

One of the most popular posts on TechBlog is a June 2014 item on how to use your own modem and router with Comcast’s service, rather than the combo unit the cable company typically rents to its residential customers. In it, I recommended the Arris Motorola SurfBoard SB6141 as the cable modem to use. And if you’ve taken my advice and bought that modem, there’s something you should know.

Security researcher David Longenecker has discovered a flaw in that particular model that could cause a denial of service for its users. In other words, an evildoer could use it to prevent an SB6141 user from getting out to the Internet.

According to Longenecker, the SB6141 allows a user to access Web-based administration screens by going to 192.168.100.1 in a browser. No login or password is required to access it. If you’ve got one of these modems, give it a try. You may see something like this:

Included within this interface is the ability to reset the modem. A user can be tricked into clicking on a simple link that will reboot the SB6141, and you can see a proof of concept here. Note that if you have one of these modems with this flaw, and you click the link, your modem WILL reboot.

Normally, you’d have to be sitting at a computer on the same network as the modem to trigger a reboot. But the link above takes advantage of the fact that you can mask a local Web page address as an image file. As Longenecker describes it:

Did you know that a web browser doesn’t really care whether an “image” file is really an image? Causing a modem to reboot is as simple as including an “image” in any other webpage you might happen to open – which is exactly the approach taken on the RebootMyModem.net proof of concept:

<img src=”http://192.168.100.1/reset.htm”>

Of course it’s not a real image, but the web browser doesn’t know that until it requests the file from the modem IP address – which of course causes the modem to reboot. Imagine creating an advertisement with that line of code, and submitting it to a widely-used ad network…

One other thing to note: A similar approach can be used to reset the modem to its factory settings. It would then take a while to reconnect as the modem negotiates with the cable network. In some cases, you may have to contact the provider in order to get the SB6141 reauthenticated.

How widespread is this issue? Arris claims this is the most popular cable modem in the world, and it’s been bought by consumers as as well deployed by cable providers. It’s in common use on Time Warner’s network. It’s not clear if it has been deployed by Comcast in the Houston area, but it has been used by Comcast in other markets in the past. Currently, Comcast in Houston has been using a combination modem/router that is also made by Arris. The manufacturer says only a “subset” of its 135 million SB6141 modems in production are vulnerable to this issue, but it’s not clear what that means in terms of real numbers.

The company has released a patch for the flaw, but it’s not a simple matter of an SB6141 owner downloading the fix and applying it. Cable modems aren’t upgradeable by users – even if you bought the modem yourself – and any firmware updates must be handled through the Internet provider. Arris says it’s in the process of getting the patch out to ISPs.

I’ve emailed the local Comcast PR person and asked if the company plans to update its customers’ SB6141 modems. I’ll let you know if I hear back.

In the meantime, the product recommendation site The Wirecutter – which also recommends the SB6141 – has a workaround that can prevent someone on your local network from resetting the modem. It requires that you change some settings in your router to block access to the 192.168.100.1 address. Check your router’s documentation – available at the support area of its manufacturer’s website – to see how to do that.

Update 10.11.2016: Longenecker has updated his post to say that other SurfBoard models also have the flaw.

Update April 10: The original post was based on first-hand testing with the SURFboard 6141 modem. It turns out the same flaw existed in the older SURFboard 5100 model at least as early as 2008. Multiple individuals have also contacted me both publicly and privately to confirm the same flaw exists in the popular but dated 6121 model. In addition, Michael Horowitz wrote for Computerworld about this very issue in February 2015, and described blocking LAN access to the cable modem using router settings. If you do not use a router model that Michael demonstrates, the iptables rules at the end of the original post below will work on any Linux-based router that allows command line access.

Update 2.0: A Comcast spokesman says the company will push out Arris’ patch for the affected modems on an “expedited basis”, so it should be hitting customers’ devices soon. The patch will be applied regardless of whether the modem is leased or owned by a customers, and it will be “invisible”, the spokesman said. Owners of the affected modems will not need to take any action.

He also noted that there have been no known exploits of this flaw in the wild, and that no customers’ data has been compromised.